Linux Security: Tips from the Experts

Is Linux more secure than Windows, or vice versa? Fueled by conflicting industry reports, this controversy keeps raging. To arrive at a well-informed opinion on the subject, you need to know as much as you can about what kinds of security measures are actually available for Linux. Moreover, if you’re administering Linux already, some implementation tips from Linux security pros can undoubtedly come in handy.

“It’s hard to talk about ‘Linux’ as an operating system, since there are so many different variations. A number of different OSes — such as FreeBSD, VMS, mainframe OSes like VM or VSE, or other proprietary OSes — may lay claim to the title of ‘most secure OS,'” observes Pete Lindstrom, CISSP, research director for Spire Security, LLC.

“The truth is that we don’t, as a community, attempt to figure out which OS is most secure. We rely on an ‘unpopularity’ contest to figure that out. Popularity is a fickle thing, though. Right now, Linux has some momentum in security over Microsoft’s OS family, but that can change quickly.”

The debate over OS security intensified in February of this year, when the Aberdeen analyst group released a report based on publicly available information from CERT. “Contrary to popular misconception, Microsoft does not have the worst track record when it comes to security vulnerabilities. Also contrary to public wisdom, Unix- and Linux-based systems are just as vulnerable to viruses, Trojans, and worms,” the report stated.

Positive Perceptions of Linux Security Pick Up Steam

Meanwhile, though, positive industry perceptions of Linux security actually seem to be picking up steam. A study by Evans Data Corp., released earlier this month, found that the number of developers who regard Linux as “the most innately secure operating system” leaped 19 percent over the past six months.

Jim Dennis, a principal at, is one practitioner who gives Linux a big security nod over other OSes. For one thing, Linux distros have been built from the ground up with security as a major focus, according to Dennis.

Dennis also points to the existence of many “hardened” Linux kernels — such as LIDS, RSBAC, and LOMAC — as well as “hardened” Linux distros, including SELinux, OpenWall Linux (OWL), and Adamantix. (Adamantix was previously dubbed Trusted Debian.)

Even without a hardened distro/kernel, though, there are many ways of battening down Linux’s hatches. Lindstrom and Dennis both provided plenty of advice for Linux administrators, across areas ranging from security policies to secure installation, including cryptography, protection of CGI and dynamic content, replacement of deprecated protocols, and more.

Page 2: Don’t Place the Cart Before the Security Horse